In September 2017, attackers trojanized CCleaner, a widely used computer cleaning utility, and the backdoored build was installed on as many as 2.27 million machines. The campaign targeted telecom equipment companies in the United States, Japan, South Korea and Taiwan.

When Avast, which owns CCleaner, examined the logs on the attackers' server, it found that only 23 machines at eight companies had received the second-stage payload. The backdoor checked each infected host against a hard-coded list of telecom equipment manufacturers and a few telecommunication companies: it reached many machines but delivered the second stage only to the ones it was looking for.

The backdoor was planted by someone with access to CCleaner's supply chain: the main executable of CCleaner v5.33.6162 had been modified before it was signed and distributed.

Our analysis of the attack found a strong code connection: a unique implementation of base64 previously seen only in APT17 malware, which makes a strong case for attributing both to the same threat actor. APT17, the group also associated with Operation Aurora, is behind some of the most sophisticated cyber attacks ever conducted and specializes in supply chain attacks.
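The simplest form of the code reuse check described above is to recover the base64 alphabet a sample uses and ask whether the same non-standard alphabet appears in a second sample. The following is an added example, not code from the talk or from Intezer: it scans binaries for 64-byte runs of distinct printable characters (the shape of an inline alphabet table), flags any that differ from the standard alphabet, reports alphabets shared between two samples, and decodes strings encoded with the recovered alphabet. The alphabet, the samples and the encoded host name are constructed for the example; the real alphabet shared by the CCleaner and APT17 code is not reproduced here.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical custom alphabet used only to build the constructed samples below.
# It is NOT the alphabet recovered from the CCleaner or APT17 binaries.
HYPOTHETICAL_ALPHABET = STD_ALPHABET[::-1]


def find_base64_alphabets(blob: bytes) -> set:
    """Return every 64-byte window of distinct printable bytes in blob.

    A base64 alphabet is 64 distinct printable characters laid out
    contiguously in the binary's data, so such windows are candidates.
    Runs of printable bytes shorter than 64 are skipped outright.
    """
    found = set()
    n = len(blob)
    i = 0
    while i < n:
        if not 0x21 <= blob[i] <= 0x7E:
            i += 1
            continue
        j = i
        while j < n and 0x21 <= blob[j] <= 0x7E:
            j += 1
        run = blob[i:j]
        for k in range(len(run) - 63):
            window = run[k:k + 64]
            if len(set(window)) == 64:
                found.add(window.decode("ascii"))
        i = j
    return found


def custom_alphabets(blob: bytes) -> set:
    """Candidate alphabets that differ from the standard one."""
    return {a for a in find_base64_alphabets(blob) if a != STD_ALPHABET}


def shared_custom_alphabets(a: bytes, b: bytes) -> set:
    """Non-standard alphabets present in both samples: a code reuse signal."""
    return custom_alphabets(a) & custom_alphabets(b)


def encode_with_alphabet(raw: bytes, alphabet: str) -> str:
    """Encode with a non-standard alphabet by remapping standard base64 output."""
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(table)


def decode_with_alphabet(encoded: str, alphabet: str) -> bytes:
    """Decode text produced with a non-standard alphabet by mapping it back
    onto the standard alphabet and restoring the padding."""
    table = str.maketrans(alphabet, STD_ALPHABET)
    translated = encoded.translate(table)
    return base64.b64decode(translated + "=" * (-len(translated) % 4))


# Constructed samples standing in for two binaries. Each embeds the hypothetical
# alphabet as a data string bounded by non-printable bytes; SAMPLE_A also carries
# a host name encoded with that alphabet (a placeholder, not a real indicator).
C2_HOST = b"example.invalid"
SAMPLE_A = (b"\x00" * 16 + HYPOTHETICAL_ALPHABET.encode() + b"\x00" * 16
            + encode_with_alphabet(C2_HOST, HYPOTHETICAL_ALPHABET).encode() + b"\x00")
SAMPLE_B = b"MZ\x90\x00" + b"\x00" * 32 + HYPOTHETICAL_ALPHABET.encode() + b"\x00" * 8
SAMPLE_C = b"\x00" * 8 + STD_ALPHABET.encode() + b"\x00" * 8   # standard alphabet only


if __name__ == "__main__":
    for name, other in (("SAMPLE_B", SAMPLE_B), ("SAMPLE_C", SAMPLE_C)):
        print(f"shared with {name}: {shared_custom_alphabets(SAMPLE_A, other)}")
    for alphabet in custom_alphabets(SAMPLE_A):
        encoded = encode_with_alphabet(C2_HOST, alphabet)
        print(f"decoded with recovered alphabet: {decode_with_alphabet(encoded, alphabet)!r}")
```

A shared alphabet string on its own is weak evidence, since two families can copy the same public snippet; the attribution in the talk rests on the base64 routine itself and other reused code matching at the function level, which is what a code reuse engine compares. This check is the first, cheap step a practitioner would run before pulling the samples into a disassembler.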

Our investigation led us to conclude that the complexity and quality of the CCleaner attack point to a state-sponsored actor, most probably the Axiom group, based on both the nature of the attack itself and the specific code reuse found throughout.

In this talk we will demonstrate the techniques used to analyze the code that led to these findings, and describe the attack process and technical flow in detail.

The findings and methods we will discuss were previously published in two blog posts and received extensive coverage in the media as well as in the DFIR and infosec community.

Jay Rosenberg is a Senior Security Researcher at Intezer Labs. Originally from New York, he is currently based in Tel Aviv. He is 25 years old and began programming and reverse engineering at the age of 12. He specializes in malware analysis, x86 assembly, memory analysis and Windows internals, and has worked on everything from analyzing and attributing the largest cyber attacks of the past year to leading the research behind Intezer's code reuse detection products.